1. What This Policy Covers
This policy applies to personal information we collect from:
- Users who register and use the Service (Restaurants, Suppliers, and their staff);
- visitors to our website;
- prospective customers we engage with through marketing or outreach;
- individuals whose contact details are provided to us by Users (for example, a supplier contact submitted by a restaurant).
2. Personal Information We Collect
Identity and contact information: name, business name, ABN, business role, email address, phone number, business address.
Account information: login credentials (passwords are stored hashed, not in plain text), user preferences, role (restaurant, supplier, admin), subscription tier.
Transactional information: orders placed, products viewed, catalogues uploaded, prices, invoices, communications between Users on the platform, watchlists.
Payment information: payment details are collected and stored by our third-party payment processor; we receive limited tokens and transaction metadata, not your full card number.
Trade-account information (Restaurants only). If you choose to fill in the Trade Account section of the Service, we additionally collect: business structure (sole trader / partnership / company / trust), registered and trading addresses, GST registration status, accounts payable / purchasing / delivery contact details, bank account details (BSB and account number), requested trade-credit terms, expected monthly purchase volume, and contact details for up to three trade references. Bank account details are encrypted at rest using Supabase Vault and are not accessible to FreshLink staff under any normal support process — see clause 8 (Data Security). The Trade Account section is optional: you can use the Service without filling it in. If you do fill it in, you control which fields and which documents are shared with which Suppliers (see clause 5 — Disclosure).
Trade-account documents (Restaurants only).If you upload documents to the Trade Account section, we additionally hold copies of: food handling certificates, public liability insurance certificates, driver's licence (used as an identity verification document by suppliers running their own credit checks), and ABN extracts. Documents are stored in a private storage bucket gated to your account; Suppliers receive access only via a time-limited link issued at the moment of an explicit share you initiate (see clause 5).
Information about people you nominate as trade references. If you provide trade references, you give us the name, business, phone number, and email address of up to three other businesses. By providing this information, you confirm that you have the authority of those reference contacts to share their details with FreshLink and with the Suppliers you nominate to receive them. You are responsible for ensuring those references are aware their details have been shared.
Technical information: IP address, browser type, device identifiers, pages visited, interaction events, and other analytics data.
Communications: messages you send through our in-platform chat, email, or messaging integrations.
Business information from third parties: where permitted, we may enrich your business profile with publicly available data (for example, from ABN Lookup or business directory sources).
We do not knowingly collect sensitive information in the technical sense defined by the Privacy Act 1988(Cth) (race, religion, health, sexual orientation, biometric data, etc.). The driver's licence we accept in the Trade Account section is collected as an identity-verification artefact only, used solely for the Trade Account purpose, encrypted at rest, and accessible only to you and to Suppliers you explicitly share it with. We ask that you do not submit any other sensitive information through the Service.
3. How We Collect Personal Information
We collect personal information:
- directly from you when you register, use the Service, upload content, or communicate with us;
- automatically through cookies, analytics tools, and server logs when you use the Service;
- from third-party sources, such as public government registries or business directory providers, where lawful and proportionate;
- where another User refers or invites you to the platform.
4. Why We Collect and Use Personal Information
We use personal information to:
(a) provide and operate the Service, including authentication, order management, messaging, and billing;
(b) verify your business identity and eligibility to use the Service;
(c) process payments;
(d) provide customer support and respond to enquiries;
(e) send service communications (for example, order confirmations, billing notices, security alerts);
(f) send marketing communications where permitted under the Spam Act 2003 (Cth) and our communications preferences;
(g) improve, personalise, and develop the Service, including training and refining our search, categorisation, and recommendation systems;
(h) detect, prevent, and respond to fraud, misuse, and security incidents;
(i) produce de-identified, aggregated analytics and insights as described in clause 11 below;
(j) comply with our legal obligations.
5. Disclosure of Personal Information
We may disclose personal information to:
Other Users of the Service. Supplier listings and business profile information are displayed to Restaurants; Restaurant order details are disclosed to the relevant Supplier. We only disclose what is necessary for the Service to function.
Service providers. We engage trusted third parties to help us operate the Service, bound by confidentiality and data-protection obligations. These providers fall into the following categories:
- hosting, database, and cloud infrastructure providers;
- payment processors;
- accounting and invoicing integration partners;
- messaging, email, and notification providers;
- error monitoring and observability providers;
- analytics providers;
- business data enrichment providers (including public government registry and business directory APIs);
- AI and machine-learning service providers used to categorise, extract, and enrich content.
A current list of our key sub-processors is available on request by emailing info@freshlinkhub.com.au.
Professional advisers: lawyers, accountants, auditors, and insurers, bound by confidentiality.
Authorities: where required or authorised by law, including to law enforcement, regulators, or courts.
Successors: if we sell, merge, or restructure the business, personal information may be transferred to the successor entity, subject to equivalent privacy protections.
We do not sell your personal information.
6. Overseas Disclosure (APP 8)
Some of the service providers described in clause 5 store or process personal information outside Australia. Recipients are typically located in Australia and the United States, and in some cases in other jurisdictions where our providers operate global infrastructure.
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles it in a manner consistent with the APPs, including:
- selecting providers that offer enterprise-grade security and published privacy commitments;
- entering into contractual terms that require compliance with applicable privacy and data-protection standards;
- using data-processing addenda or equivalent safeguards where available.
By using the Service, you acknowledge that your personal information may be disclosed to overseas recipients for the purposes described in this policy.
7. Data Retention
We keep personal information only for as long as necessary to provide the Service and meet our legal obligations.
| Category | Retention |
|---|---|
| Account and profile information | For the life of your Account, plus a 30-day grace period after termination, then deleted or de-identified within 90 days |
| User-uploaded Content (catalogues, menus, messages) | Same as above |
| Order, invoice, and payment records | Up to 7 years after the relevant transaction, as required by Australian tax and corporate record-keeping laws |
| Server logs and analytics events | Typically 12–24 months |
| Records we are required by law to retain | For the period required by law |
| De-identified and aggregated data | May be retained indefinitely, as it no longer identifies you |
| Trade Account profile fields (bank, contacts, references) | For the life of your Account, plus the 30-day grace period; deleted within 90 days unless retention is required by law |
| Trade Account documents (food handling, public liability, drivers licence, ABN extract) | Same as above. Documents marked with an expiry date are not auto-deleted on expiry — you remain responsible for replacing expired certificates |
| Records of Trade Account sharing decisions and revocations | 7 years from the date of the sharing or revocation, for audit-trail and dispute-resolution purposes |
| Bank-detail decryption audit log | 7 years from the date of the access event |
You may request deletion at any time — see clause 10.
8. Data Security
We take reasonable steps to protect personal information from loss, misuse, interference, unauthorised access, modification, and disclosure, including:
- encryption in transit (HTTPS/TLS);
- encryption at rest for all data, with bank account details additionally protected by a per-record encryption envelope (Supabase Vault) so that even FreshLink staff with database read access cannot decrypt them;
- role-based access controls and row-level security at the database layer, restricting Trade Account data so that only the Restaurant Account that entered it can read it;
- hashed password storage;
- activity logging and monitoring, including a per-event audit log of every time a Restaurant reveals their own bank details;
- regular security reviews and dependency updates.
FreshLink staff access to Trade Account data is restricted by design. FreshLink platform administrators can view metadata about your Trade Account (whether a profile exists, completeness, certificate validity dates) and the contents of certificates uploaded for FreshLink Verification review, but they cannot decrypt your bank account details. There is no support flow that requires FreshLink staff to view your bank details — if you cannot remember what bank details you have on file, you can log in and reveal them yourself; if you cannot log in, please reset your password rather than ask FreshLink to read them on your behalf. The only exception is a court order, regulator request, or other binding legal demand: see clause 8.1.
8.1 Legal demands for encrypted data. If FreshLink receives a binding legal demand (court order, AFP / AUSTRAC / OAIC notice, valid subpoena) requiring disclosure of bank details associated with a specific Account, an authorised officer of The Growth Protocol Pty Ltd will perform a one-off, recorded operator action to extract the requested data from Supabase Vault for the named Accounts only. Each such extraction is logged in our internal audit trail and (where permitted by law) the affected Account holder is notified.
No system is completely secure. If we become aware of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
9. Cookies and Analytics
The Service uses cookies and similar technologies for essential functionality (for example, keeping you logged in) and for analytics (for example, understanding how features are used).
You can disable or delete cookies in your browser settings. Disabling essential cookies may prevent parts of the Service from functioning.
By using the Service you consent to our use of cookies as described in this policy.
10. Your Rights
Under the Privacy Act and the APPs you have the right to:
Access your information. You may request a copy of the personal information we hold about you.
Correct your information. You may ask us to correct information that is inaccurate, incomplete, or out of date.
Delete your information. You may ask us to delete your personal information, subject to our legal retention obligations (see clause 7).
Export your information. You may request an export of your Content at any time before deletion.
Withdraw consent. You may unsubscribe from marketing communications at any time via the unsubscribe link or your Account settings.
Complain. See clause 13 below.
To exercise these rights, contact us at info@freshlinkhub.com.au. We will respond within a reasonable period (typically 30 days). We may need to verify your identity before acting on a request.
11. De-identified and Aggregated Data
We may produce de-identified, aggregated insights from platform activity — for example, market pricing trends, category demand, regional procurement patterns. Before any aggregated insight is published, shared, or sold:
- direct identifiers (business name, ABN, email) are removed;
- data is grouped across a minimum of five (5) Users wherever business-level detail is reported;
- location is generalised to region or postcode-group level;
- specific SKUs and supplier-level prices are not disclosed externally.
Once produced to this standard, aggregated data no longer constitutes personal information under the Privacy Act and is not subject to this Privacy Policy.
Further detail is set out in our Data Use Schedule.
12. Children's Privacy
The Service is a B2B platform and is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will delete it.
13. Complaints
If you believe we have breached the Privacy Act or this policy:
- Contact us at info@freshlinkhub.com.au with a description of the concern. We will respond within a reasonable period (typically 30 days) and work with you to resolve it.
- If you are not satisfied, you may lodge a complaint with the Office of the Australian Information Commissioner:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
14. Changes to This Policy
We may update this policy from time to time. For material changes we will provide at least 30 days' notice by email and by prominent notice on the Service. Continued use after the change takes effect constitutes acceptance.
15. Contact
The Growth Protocol Pty Ltd
ABN 59 680 355 060
Trading as FreshLink Hub
1 Bromley Road, Huntfield Heights, South Australia 5163
Privacy contact: info@freshlinkhub.com.au